Watermark insertion apparatus and watermark extraction apparatus

ABSTRACT

The present invention generates watermark from ID information that uniquely identifies a program distribution destination, inserts the generated watermark in a program, and prevents the program from operating correctly if the watermark is tampered with, and also inserts the same watermark verification code in a program regardless of the distribution destination. By this means, it is possible to prevent detection of watermark verification code constituting a watermark by means of collusion attack.

TECHNICAL FIELD

The present invention relates to a watermark insertion apparatus thatinserts a watermark in a program in order to prevent and suppressillegal use and distribution of the program, and a watermark extractionapparatus.

BACKGROUND ART

With the advance of computer networks, it has become common for computerprograms to be distributed via networks. As a computer program caneasily be duplicated, there is a possibility of illegal secondarydistribution of program duplicates, and theft of or tampering withalgorithms in programs. There is thus a need to protect programs fromsuch illegal use.

One example of a conventional program protection technology is a methodwhereby an electronic watermark is inserted in a program. With thismethod, a program is distributed with different watermark embedded foreach distribution destination. Then, in the event of illegal use,watermark is extracted from the illegal user's program, and thatwatermark is analyzed. By this means, the source of circulation caneasily be detected.

An actual watermark insertion method is disclosed, for example, inUnexamined Japanese Patent Publication No.2000-76064 (pages 3-4, FIG. 2,FIG. 7).

With this method, code with no dependency relationship to the order ofexecution is first detected. Next, a dummy variable operation isinserted in the detected part. Then the order of execution of thedetected part containing the dummy variable operation is switched aroundrandomly.

By performing such processing, a mechanism is implemented that changesthis order of execution as electronic watermark for each distributiondestination.

However, a problem with the conventional method of inserting anelectronic watermark in a program is that it is easy to alter or deletea water mark based on collusion attack. “Collusion attack” is an attackmethod whereby watermark data insertion locations are identified byfinding differences in a plurality of programs in which watermarks havebeen inserted.

When different watermark is inserted in a program for each distributiondestination, if differences between programs distributed to eachdistribution destination are found, only the locations at whichwatermarks have been inserted will surface as differences. There is thusa problem in that watermark insertion locations can easily be identifiedand watermark can easily be deleted or altered.

DISCLOSURE OF INVENTION

It is an object of the present invention to prevent easy generation of aprogram that does not have a watermark and operates normally, byinserting a watermark in such a way that the watermark insertionlocation cannot be identified.

The present invention generates watermark from ID information thatuniquely identifies a program distribution destination, inserts thegenerated watermark in a program, and prevents the program fromoperating correctly if the watermark is tampered with, and also insertsthe same watermark verification code to examine whether the watermark istampered with in a program regardless of the distribution destination.

By this means, it is possible to prevent detection of watermarkverification code constituting a watermark by means of collusion attack.As a result, a distribution destination cannot generate a program thatdoes not have a watermark and operates normally, and thus is not able tocirculate a program illegally.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a configuration diagram of an illegal distribution preventionsystem implemented by means of watermark insertion according toEmbodiment 1 of the present invention;

FIG. 2 is a configuration diagram of a watermark insertion apparatusaccording to Embodiment 1;

FIG. 3 is a configuration diagram of a watermark extraction apparatusaccording to Embodiment 1;

FIG. 4 is a flowchart showing the operation of a watermark insertionsection according to Embodiment 1;

FIG. 5 is a drawing showing program code generated when Embodiment 1 isapplied;

FIG. 6 is a flowchart showing the operation of a watermark detectionsection of Embodiment 1;

FIG. 7 is a flowchart showing the operation of a watermark insertionsection according to Embodiment 2 of the present invention;

FIG. 8 is a drawing showing program code generated by a watermarkinsertion section according to Embodiment 2;

FIG. 9 is a flowchart showing the operation of a watermark insertionsection according to Embodiment 3 of the present invention;

FIG. 10 is a drawing showing program code generated by a watermarkinsertion section according to Embodiment 3;

FIG. 11 is a configuration diagram of an illegal distribution preventionsystem implemented by means of watermark insertion according toEmbodiment 4 of the present invention;

FIG. 12 is a configuration diagram of a watermark insertion apparatus inEmbodiment 5 of the present invention;

FIG. 13 is a flowchart showing the operation of a dummy code insertionsection and watermark insertion section in Embodiment 5;

FIG. 14 is an example of program code generated by a watermark insertionsection in Embodiment 5;

FIG. 15 is a flowchart of the operation of a watermark detection sectionin Embodiment 5;

FIG. 16 is a flowchart of the operation of a watermark insertion sectionof Embodiment 6 of the present invention; and

FIG. 17 is a drawing showing program code generated by a watermarkinsertion section according to Embodiment 6.

BEST MODE FOR CARRYING OUT THE INVENTION

(Embodiment 1)

An illegal program distribution prevention system comprising a watermarkinsertion apparatus and watermark extraction apparatus according toEmbodiment 1 of the present invention will now be explained withreference to the accompanying drawings.

FIG. 1 is a configuration diagram of an illegal distribution preventionsystem implemented by means of watermark insertion according toEmbodiment 1.

First, at the time of program distribution, the distribution source 10performs distribution with a different watermark inserted by means of awatermark insertion apparatus 20 for each of distribution destinations40 a and 40 b (it is assumed that secondary distribution by distributiondestinations is not authorized).

By performing distribution with watermarks embedded in this way, in theevent of program circulation via illegal secondary distribution, forexample, distribution source 10 can confirm the distribution destinationby extracting, by means of a watermark extraction apparatus 30, thewatermark from the program circulated to the circulation destination 50,and identify circulation source (distribution destination) 40 a or 40 b.

Furthermore, distribution destinations 40 a and 40 b will fearidentification as the circulation source, and will refrain from illegalsecondary distribution.

In this way, the illegal distribution prevention system suppressesillegal distribution by means of watermarks.

Next, watermark insertion apparatus 20 according to Embodiment 1 will bedescribed using FIG. 2. FIG. 2 is a configuration diagram of a watermarkinsertion apparatus according to Embodiment 1.

Watermark insertion apparatus 20 is provided with a program inputsection 201. Program input section 201 is a means of inputting programcode that inputs a watermark. Program input section 201 outputs programcode to a watermark insertion section 202.

Watermark insertion section 202 is a means of generating a watermark tobe actually embedded in a program from ID information generated by an IDinformation generation section 205, and inputting the watermark toprogram code output from program input section 201. If the program codeoutput by program input section 201 is source code, watermark insertionsection 202 compiles the source code and passes the watermark inputlocation to a watermark information storage section 206 as an assemblercode line number.

A program output section 203 is a means whereby watermark insertionsection 202 outputs input program code.

A watermark data input section 204 inputs watermark data. The inputwatermark data is information that uniquely specifies a distributiondestination, comprising the distribution destination address, telephonenumber, company, e-mail address, and so on. Distribution sourceinformation may also be input in the watermark data.

ID information generation section 205 generates ID information that canbe uniquely determined from watermark data input by watermark data inputsection 204. ID information may be the input data itself, or may be dataobtained by encryption of the input data. Also, ID information may be anID for uniquely specifying watermark data in a database holdingwatermark data.

In embodiments of the present invention, a mode is used wherebywatermark is generated based on ID information, but it is not absolutelynecessary for watermark to be generated based on ID information, and itis sufficient to be able to specify a distribution destination uniquelyfrom watermark. For example, it is also acceptable to enable adistribution destination to be uniquely specified by inserting asequence number 1 to N in software as watermark, distributing sequencenumber i software to distribution destination A, distributing sequencenumber j software to distribution destination B, and so forth.

Watermark information storage section 206 is a means of storing aninsertion location of a watermark inserted by watermark insertionsection 202. Specifically, the assembly code line number of the code inwhich a watermark is inserted is stored.

Next, watermark extraction apparatus 30 according to Embodiment 1 willbe described using FIG. 3. FIG. 3 is a configuration diagram ofwatermark extraction apparatus 30 according to Embodiment 1.

Program input section 301 is a means of inputting a program in which awatermark is input.

A watermark detection section 302 disassembles a program output fromprogram input section 301, and extracts an input watermark from thewatermark insertion location (assembler code line number) obtained froma watermark information storage section 305. Watermark detection section302 then generates ID information from the extracted watermark, andpasses this ID information to an ID information storage section 304.

ID information storage section 304 is a means of generating distributiondestination information from ID information obtained from watermarkdetection section 302. When ID information is a database data ID, IDinformation storage section 304 obtains distribution destinationinformation by extracting data from the ID. When ID information isdistribution destination information encryption data, ID informationstorage section 304 obtains distribution destination information byperforming decryption.

Watermark information storage section 305 is a means of storing awatermark insertion location of a distributed program. Watermarkinsertion location information is obtained from watermark informationstorage section 206 of watermark insertion apparatus 20.

Output section 303 is a means of outputting obtained distributiondestination information.

Next, watermark insertion section 202 according to Embodiment 1 will bedescribed using FIG. 4. FIG. 4 is a flowchart showing the operation ofwatermark insertion section 202 according to Embodiment 1.

First, watermark insertion section 202 generates, by means of generationfunction F(1) , watermark X1 and X2 to be actually inserted into theprogram from ID information I generated from distribution destination 40information (step 401).

Next, watermark insertion section 202 configures function F21 thatoutputs constant C1 and function F22 that outputs constant C2 whenwatermark X1 and X2 is used as input (step 402).

Watermark insertion section 202 then embeds in the program code anexpression that assigns watermark X1 and X2 to variables val1 and val2(step 403).

Watermark insertion section 202 then embeds in the program code anexpression that assigns F21(val1, val2) to variable val3, and F22(val1,val2) to variable val4 (step 404).

Next, watermark insertion section 202 embeds in the program code aswatermark verification code a conditional branch that determines whethervariable val3 and constant C1 are equal and halts the program if theyare not equal, and a conditional branch that determines whether variableval4 and constant C2 are equal and halts the program if they are notequal (step 405).

Watermark insertion section 202 then stores the locations at whichwatermark and watermark verification code were inserted in step 403through step 405 in watermark information storage section 206 (step406).

In this way, watermark insertion section 202 inserts in the programwatermark and watermark verification code.

Watermark insertion section 202 inputs the expressions and conditionalbranches (watermark verification code) inserted in step 403 through step405 in the order of execution of the program. A condition for F1 is thatthere should be an inverse function of F1 that generates I uniquely fromX1 and X2, and a condition for F21 and F22 is that F21 (X1, X2)==C1 andF22(X1, X2) ==C2 should not hold other than for X1 and X2 (“==”indicates that the values are equal).

For example, a case will be considered in which ID information=12345678,F1 is a function that divides an 8-digit value into two values from the4th digit, F21 (x, y) and F22(x, y) are 2-variable linear functionsax+by, C1=2345, and C2=5678.

In this case, watermark X1=1234 and X2 =5678 is first generated from F1.F21 and F22 are configured by finding a1, a2, b1, and b2 that satisfythe conditions a1×1234+b1×5678 =2345 and a2×1234+b2×5678 =5678. Forexample, values of a1=1, a2 =0.195667, a2=3.700972, and b2=0.195667satisfy the conditions.

An example of program code generated when Embodiment 1 is applied isshown in FIG. 5.

In FIG. 5, 500 a is a basic program forming the basis input by programinput section 201. Programs 500 b and 500 c are watermark insertionprograms in which watermark and watermark verification code have beeninput in basic program 500 a.

First, in step 403, watermark insertion section 202 inputs watermark X1a (1234) , X1 b (5678) and X2 a (1111), X2 b (2222) generated fromdifferent ID information Ia (12345678) and Ib (11112222) into programs500 b and 500 c (part indicated by reference numeral 501 in the drawing)

Next, in step 404, watermark insertion section 202 inserts mutuallydiffering F21 and F22 respectively into watermark insertion programs 500b and 500 c (part indicated by reference numeral 502 in the drawing).

Then, in step 405, watermark insertion section 202 embeds in the programcode, as watermark verification code, a conditional branch thatdetermines whether variable val3 and constant C1 (2345) are equal andhalts the program if they are not equal (assert(0)), and a conditionalbranch that determines whether variable val4 and constant C2 (5678) areequal and halts the program if they are not equal (assert(0)) (partindicated by reference numeral 503 in the drawing).

The point to be noted here is that, when the differences between the twoprograms 500 b and 500 c are identified, parts 501 and 502 constitutingwatermark are detected, but conditional branches 503 constitutingwatermark verification code are not detected. Consequently, even if awatermark input location is detected by means of collusion attack onprograms 500 b and 500 c, and alteration or deletion of the detectedpart is carried out, alteration or deletion cannot be performed on theconditional branches 503 constituting watermark verification code.Therefore, the watermark verification code part 503 does not meet theconditions, and the program no longer operates.

Thus, in the case of a simple method of altering or deleting only alocation detected by means of collusion attack, it is possible toprevent acquisition of a program that operates normally when allwatermarks are deleted.

For the sake of clarity, source code is used in FIG. 5, but the sameapplies when binary code is used. Also, in the case of conditionalbranches 503, processing is performed so that the program is halted ifthe conditional statement is true, but it is also possible to performprocessing that changes variable values in the program (using a++, forexample) so that the program operates abnormally instead of halting.

Also, in Embodiment 1, two items of watermark are generated from IDinformation, but it is also possible to generate three or more items ofwatermark.

Next, watermark detection section 302 according to Embodiment 1 will bedescribed using FIG. 6. FIG. 6 is a flowchart showing the operation ofwatermark detection section 302 of Embodiment 1.

First, watermark detection section 302 disassembles program executioncode (step 1001).

Next, watermark detection section 302 refers to watermark informationstorage section 305, obtains stored information in which the watermarkinsertion location in the program is stored (that is, a line numberindicating the insertion location), and based on this, specifies theinput location of watermark X1 and X2. Watermark detection section 302then extracts watermark X1 and X2 from the program (step 1002).

Next, watermark detection section 302 generates ID information using theinverse function of function Fl used when generating watermark X1 and X2(step 1003).

In this way, watermark detection section 302 obtains ID information andperforms specification of distribution destination 40.

With the above method, if the code execution order is switched around bymeans of optimization or “obfuscating” (that makes reading moredifficult) by an execution code distribution destination or circulationdestination, it is possible that the assembler line number of awatermark input location will be changed, preventing acquisition of thewatermark. In consideration of such a possibility, the processing instep 1002 may be changed to processing whereby an assignment instructionis sought in lines around the assembler line number indicating theinsertion location, and the operand part of the assignment instructionis extracted.

As described above, according to Embodiment 1, watermark verificationcode (part 503 in FIG. 5) is the same regardless of the distributiondestination, and therefore it is possible to prevent watermarkverification code (part 503 in FIG. 5) from being detected as adifference by means of collusion attack. Consequently, the insertionlocation of watermark verification code cannot be detected by collusionattack. As a result, in the case of a simple method of altering ordeleting only a location detected by means of collusion attack,alteration or deletion of all watermarks cannot be performed, and it isnot possible to generate a program without a watermark (or with analtered watermark) that operates normally. Thus, a distributiondestination cannot generate a program that has no watermark and operatesnormally, and therefore cannot circulate a program illegally.

A mode is also possible in which the processing performed by watermarkinsertion apparatus 20 and watermark extraction apparatus 30 is in theform of a program and is executed by a general-purpose computer.

(Embodiment 2)

Embodiment 2 provides for a case where a person intending to distributea program illegally attempts to alter or delete watermark verificationcode of Embodiment 1 by detecting watermark by means of collusionattack, detecting a location at which a variable generated by a functionused in the detected watermark is used (part indicated by referencenumeral 503 in FIG. 5) ,and altering or deleting the detected location.

Specifically, watermark is used, and watermark verification codenecessary to operate a program normally is inserted in the program.

By this means it is possible to prevent a program from being operatednormally when watermark verification code using watermark is detectedand altered or deleted by means of the above-described procedure.

Embodiment 2 is described in detail below. The difference between thewatermark insertion apparatus in Embodiment 2 and watermark insertionapparatus 20 in Embodiment 1 lies in the operation of watermarkinsertion section 202.

Next, the operation of the watermark insertion section of Embodiment 2will be described using FIG. 7. FIG. 7 is a flowchart showing theoperation of the watermark insertion section of Embodiment 2.

The operations in step 601 and step 602 are the same as the operationsin step 401 and step 402 described in Embodiment 1, and thereforedescriptions thereof are omitted here.

Next, the watermark insertion section generates function F3 thatgenerates C3 so that C1+C2 +C3 =0 from watermark X1 and X2 (step 603).

The watermark insertion section then embeds in the program code anexpression that assigns watermark X1 and X2 to variables val1 and val2(step 604).

The watermark insertion section then embeds in the program code anexpression that assigns F21 (val1, val2) to variable val3, and F22(val1,val2) to variable val4 (step 605).

Next, the watermark insertion section embeds in the program code aswatermark verification code a conditional branch that determines whethervariable val3 and constant C1 are equal and halts the program if theyare not equal, and a conditional branch that determines whether variableval4 and constant C2 are equal and halts the program if they are notequal (step 606).

The watermark insertion section then embeds an expression that assignsF3(val1, val2) to variable val5 (step 607).

Then the watermark insertion section inserts in the program, aswatermark verification code, code that adds val3+val4+val5 to a decisionstatement that determines original code 0 (step 608).

Watermark insertion section 202 then stores the locations at whichwatermark and watermark verification code were inserted in step 604through step 608 in watermark information storage section 206 (step609).

In this way, watermark insertion section 202 inserts a watermark in theprogram.

The points to be noted here are that variables val3, val4, and val5detected by collusion attack are included in val3+val4+val5 inserted instep 608, and that val3+val4+val5 is inserted in the 0 part of thedecision statement related to program operation. As a result, if anillegal user attempts to detect variables (val3, val4, val5) by means ofcollusion attack, and alter or delete a location using variablesgenerated by a function using the detected variables, a decisionstatement related to program operation will also be altered or deleted.Thus, the program will not operate normally, and cannot be usedillegally.

Next, program code generated by a watermark insertion section accordingto Embodiment 2 will be described using FIG. 8.

In FIG. 8, 800 a is a basic program forming the basis input by programinput section 201, and program 800 b is a watermark insertion program inwhich a watermark has been input in basic program 800 a.

In program 800 b, watermark is inserted in the part indicated byreference numeral 701 in step 604, and calculation expressions (code)for watermark verification are inserted in the part indicated byreference numeral 702.

Then, in program 800 b, the processing result of step 608 is inserted inthe part indicated by reference numeral 703. Also, in program 800 b,watermark verification code is inserted in the part indicated byreference numeral 704 in step 606.

The result of generating program 800 b in this way is that, if a personattempting illegal use detects watermark verification code 703 fromprogram 800 b by means of collusion attack and alters or deletes thewatermark verification code, since watermark verification code 703 iscode related to the specifications (related to program input/output inthe original code) , the program will not operate normally if this codeis deleted.

In order to change only the watermark verification code 703 decisionstatement within the watermark, it is necessary to understand theprogram specifications and know that watermark verification code 703 isspecification related code. It takes time to understand the structure ofa program, and watermark deletion cannot be performed by means ofmechanical processing.

The condition C1+C2+F3=0 need not apply. In this case, C1+C2+F3 can beinserted in a decision statement that uses the value obtained fromC1+C2+F3. For example, if C1+C2+F3=1, 1 of a decision statementdetermining 1 is switched with C1+C2+F3.

As described above, according to Embodiment 2, if a location (part 703shown in FIG. 8) at which variables generated by functions used inwatermark (701, 702) detected by means of collusion attack are used isdetected and altered or deleted, it becomes impossible for the programto operate normally. That is to say, it can be made impossible togenerate a program without a watermark (or with an altered watermark)that operates normally, thereby enabling illegal program distribution tobe prevented.

(Embodiment 3)

Embodiment 3 alters code around a location at which watermark andwatermark verification code are input, or all code, by performingprocessing such as “obfuscating.” Consequently, code other than awatermark is detected by collusion attack, thus enabling watermarkalteration or deletion based on collusion attack to be prevented withcertainty.

Embodiment 3 is described in detail below. The difference between thewatermark insertion apparatus in Embodiment 3 and watermark insertionapparatus 20 in Embodiment 1 lies in the operation of watermarkinsertion section 202.

Next, the operation of watermark insertion section 202 of Embodiment 3will be described using FIG. 9. FIG. 9 is a flowchart showing theoperation of watermark insertion section 202 of Embodiment 3.

First, watermark insertion section 202 assigns an initial value of 1 tovariable i (step 800). Then the watermark insertion section divides IDinformation into n items of information, and generates watermark X(1),X(2) . . . (X)n (step 801).

Next, watermark insertion section 202 detects a loop section (while, forstatements) in the program source code (step 802), and inserts watermarkX(i) within the loop (step 803).

Watermark insertion section 202 then “obfuscates” the insertion locationloop section by applying the method described in “Method for ScramblingPrograms Containing Loops” (Monden et al., Technical Report of IEICED-I, Vol. J80-D-I, No.7, pp.644-652, July 1997) (step 804). At thistime, there are a number of variations in the program obfuscatingmethod, and the variation is selected at random (or so as not toduplicate obfuscating executed on a program distributed in the past).

Then, watermark insertion section 202 determines whether variable i isless than or equal to the number of items of watermark n (step 805), andif variable i is less than or equal to n, increments variable i (step806) and proceeds to the processing in step 802. If, on the other hand,variable i is determined not to be less than or equal to n in step805-that is, if all watermark has been input-watermark insertion section202 next compiles the source code, stores the assembler code linenumbers at which watermark was input, outputs the program, andterminates processing (step 807).

Next, program code generated by watermark insertion section 202according to Embodiment 3 will be described using FIG. 10. In FIG. 10,900 a is a basic program forming the basis input by program inputsection 201. Programs 900 b and 900 c are watermark insertion programsin which watermark 901 has been input in basic program 900 a.

In programs 900 b and 900 c, implementation differs according toobfuscating, but the specifications (relationship to programinput/output) are not changed. When the differences between programs 900b and 900 c are identified, since program code has also been modified atlocations other than the watermark location, non-watermark parts 902 aand 902 b are also detected as differences.

Therefore, in order to alter or delete the watermarks of programs 900 band 900 c, it is necessary to analyze the programs and find out whichparts are watermarks unrelated to the program specifications. Sincedetermining whether a part is unrelated to the program specificationsrequires an understanding of the program specifications, it is difficultto mechanically delete a watermark embedded using this method.

As described above, according to Embodiment 3, the watermark insertionsection also operates as an alteration means that performs obfuscatingprocessing so that program specifications are not affected in partsother than a location at which a program watermark is inserted, so thatnon-watermark code in parts related to program specifications isdetected by collusion attack. It is thus difficult to identify awatermark insertion location based on collusion attack. As a result, itis possible to prevent watermark alteration or deletion with certainty,and to prevent illegal program circulation. (Embodiment 4)

In Embodiment 4, a watermark insertion apparatus is provided at adistribution destination, and a watermark is given to a distributedprogram at the distribution destination.

The configuration of an illegal distribution prevention system accordingto Embodiment 4 is described below using FIG. 11. FIG. 11 is aconfiguration diagram of an illegal distribution prevention systemimplemented by means of watermark insertion according to Embodiment 4.Parts identical to parts already described are assigned the same codesas the corresponding previously described parts.

In this system, distribution source 1100 first distributes todistribution destinations 1110 and 1120 respectively ID information 1101and ID information 1102 that uniquely determine distributiondestinations 1110 and 1120 respectively.

In response to this, distribution destinations 1110 and 1120 store IDinformation 1101 and 1102 in watermark insertion apparatuses 20 a and 20b.

Next, distribution source 1100 distributes a program 1103 todistribution destinations 1110 and 1120.

In response to this, distribution destinations 1110 and 1120 generateprograms 1111 and 1121 in which watermarks are inserted in distributedprogram 1103 using watermark insertion apparatuses 20 a and 20 b.

Watermark insertion apparatuses 20 a and 20 b may be watermark insertionapparatuses according to any one of Embodiment 1 through Embodiment 3.

Thereafter, insertion apparatuses 20 a and 20 b transmit storageinformation 1104 and 1105 to distribution source 1100, and distributionsource 1100 holds storage information 1104 and 1105.

If distribution destination 1110 performs illegal secondary distributionto circulation destination 1130, distribution source 1100 obtains thecirculated program 1112, and inputs it together with storage information1104 and 1105 to watermark extraction apparatus 30. Distribution source1100 then acquires ID information 1107 specifying distributiondestination 1110 or 1120 by means of watermark extraction apparatus 30.Distribution source 1100 next compares ID information 1101 and 1102distributed to distribution destinations 1110 and 1120 with acquired IDinformation 1107, and identifies distribution destination 1110 or 1120that illegally circulated the program.

As described above, according to Embodiment 4, it is possible to easilydistribute a program to an unspecified number of distributiondestinations, and insert watermarks at distribution destinations. Thiskind of mode is effective when applied to a system in which it isdesirable to simply distribute programs only, such as programdistribution using digital broadcasting, multicasting or broadcastingvia an IP network, and so forth.

(Embodiment 5)

Embodiment 5 alters a program by adding dummy code that does not affectprogram specifications at a location at which a watermark insertionmethod or other method is implemented. As a result, code other than awatermark is detected at different locations when collusion attack isexecuted, thus enabling watermark alteration or deletion based oncollusion attack to be prevented with certainty.

Next, a watermark insertion apparatus 1200 according to Embodiment 5will be described using FIG. 12. FIG. 12 is a configuration diagram of awatermark insertion apparatus of Embodiment 5.

The operation of program input section 201 of watermark insertionapparatus 1200 according to Embodiment 5 is identical to that of programinput section 201 of watermark insertion apparatus 20 in otherembodiments.

Watermark insertion apparatus 1200 is provided with a dummy method inputsection 1203 that inputs a redundant dummy method that does not affectexecution of a program output by program input section 201. Dummy methodinput section 1203 outputs an input dummy method to a dummy methodinsertion section 1201.

Dummy method insertion section 1201 is a means of adding a dummy methodinput by dummy method input section 1203 as an area for embedding awatermark. Dummy method insertion section 1201 outputs a program towhich a dummy method has been added to a dummy code insertion section1202.

Dummy code insertion section 1202 is an alteration means of performingalteration without changing program specifications by inserting a dummycode pair not necessary for program execution results at locations atwhich all program methods (all methods including the dummy method) areimplemented without affecting program execution. An example of dummycode that could be inserted is the PUSH/POP pair.

Watermark insertion section 202, program output section 203, watermarkdata input section 204, and ID information generation section 205 aremeans identical, respectively, to watermark insertion section 202,program output section 203, watermark data input section 204, and IDinformation generation section 205 of watermark insertion apparatus 20in other embodiments.

Watermark information storage section 1204 stores information on thecorrespondence between characters, numeric values, and symbols used inwatermarks and bit strings, and information on the correspondencebetween bit strings and instruction codes, for watermarks inserted bywatermark insertion section 202. Watermark information storage section1204 also holds a method name and line number as identificationinformation for a dummy method used for watermark insertion. Moreover,when encrypted data is used as watermark data, watermark informationstorage section 1204 also stores key information for decryption of thedata.

In this way, a watermark insertion location can easily be identifiedusing identification information, and watermark can easily be detected.

Next, a watermark extraction apparatus 30 according to Embodiment 5 willbe described. The difference between watermark extraction apparatus 30according to Embodiment 5 and watermark extraction apparatus 30 in otherembodiments lies in the operation of watermark information storagesection 305.

Watermark detection section 302 acquires identification information of amethod used for watermark insertion obtained from watermark informationstorage section 305 in a program output from program input section 301,and checks the method indicated by the identification information.

Next, watermark detection section 302 extracts watermark inserted in theprogram by performing conversion from instruction code to bit string,and from bit string to character, numeric value, or symbol, using thecorrespondence between characters, numeric values, and symbols used inwatermarks and bit strings, and the correspondence between bit stringsand instruction codes, obtained from the same watermark informationstorage section 305.

Watermark detection section 302 generates ID information from anextracted watermark, and outputs it to ID information storage section304.

Watermark information storage section 305 is a means of holdingidentification information of a method in which a watermark is inserted.Watermark information storage section 305 also stores the correspondencebetween characters numeric values, and symbols used in a watermark of adistributed program and bit strings, and the correspondence between bitstrings and instruction codes. Moreover, when inserted watermark isencrypted, watermark information storage section 305 also holds the keyfor decryption of the data. Watermark information storage section 305obtains the correspondence between characters, numeric values, andsymbols and bit strings, the correspondence between bit strings andinstruction codes, identification information for a method in which awatermark is inserted, and a key for decryption of encrypted data, fromwatermark information storage section 1204.

Next, the operation of dummy code insertion section 1202 and watermarkinsertion section 202 of Embodiment 5 will be described using FIG. 13.FIG. 13 is a flowchart showing the operation of dummy code insertionsection 1202 and watermark insertion section 202 of Embodiment 5.

First, dummy code insertion section 1202 assigns an initial value of 1to variable i (step 1300). Then watermark insertion section 202generates watermark S from ID information, using the correspondencebetween characters, numeric values, and symbols and bit strings (step1301).

Dummy code insertion section 1202 then detects a method section(location at which a method is implemented) in the program (step 1302)and determines whether variable i is less than or equal to the totalnumber of methods in the program (step 1303), and if variable i is lessthan or equal to the total number of methods, inserts essentiallyunnecessary dummy code that does not affect the program specifications(step 1304).

There are a number of variations of the dummy code inserted at thistime, and the variation is selected at random, or so as not to duplicatedummy code inserted in a program distributed in the past. That is tosay, dummy code is inserted in such a way that the dummy code will beextracted by collusion attack.

Next, watermark insertion section 202 determines whether the detectedmethod section is a dummy method (step 1305), and if it is a dummymethod, inserts watermark S by applying the method described in “AWatermarking Method for Computer Program” (Monden et al., 1998 Symposiumon Cryptography and Information Security, SCIS ′98-9.2.A, January 1998)(step 1306).

At this time, watermark insertion section 202 also retains dummy methodidentification information (step 1307).

Watermark insertion section 202 then increments variable i (step 1308)and proceeds to the processing in step 1302.

If, on the other hand, variable i is determined not to be less than orequal to the total number of methods in step 1303—that is, if dummy codehas been inserted in all methods, and watermark has been inserted in adummy method thereamong—watermark insertion section 202 outputs aprogram in which watermark has been embedded (step 1309).

With a program generated by watermark insertion section 202 according toEmbodiment 5, implementation differs according to dummy code insertion,but the specifications (relationship to program input/output) are notchanged. Also, since different dummy codes are inserted by therespective programs, when differences between programs are identified inorder to identify a watermark insertion method, methods other than amethod in which a watermark is inserted are also detected asdifferences.

Therefore, in order to alter or delete a program watermark, it isnecessary to analyze the program and find out which method is a dummymethod for watermark insertion unrelated to the program specifications.Since determining whether a part is unrelated to the programspecifications requires an understanding of the program specifications,it is difficult to mechanically delete a watermark embedded using thismethod.

An example of program code generated when Embodiment 5 is applied isshown in FIG. 14.

The program indicated by reference numeral 1600 a in FIG. 14 is thebasic source program. The program resulting from compilation of thisprogram 1600 a is the program that is input from program input section201 to watermark insertion apparatus 1200. For ease of explanation,program 1600 b resulting from disassembly of compiled program 1600 awill be used in the description here.

Program 1600 c and program 1600 d are programs in which differentwatermarks and dummy code are inserted. In programs 1600 a through 1600d, method A2 denotes a dummy method, and the numeral before eachinstruction mnemonic indicates the line number.

First, in step 1301, watermark insertion section 202 generates watermarkS1 (100111 001101 101000 000000 000001) and S2 (100111 001101 101000000000 000010) with 6 bits per character from different ID informationI1 ((C) 01) and I2 ((C) 02) ,respectively, for use by watermarkinsertion programs 1600 c and 1600 d.

Next, in step 1302, dummy code insertion section 1202 detects a methodsection in watermark insertion program 1600 b, and instep 1304 insertsmutually differing dummy code in A1, which is not a dummy method (partindicated by reference numeral 1601 in FIG. 14).

Furthermore, when the method is dummy method A2, in step 1306 watermarkinsertion section 202 embeds as watermark in watermark insertion program1600 b only the number of bits allocated to the instructions subject toembedding from watermark information S1 and S2.

In this example, iconst_0 in method A2 of program 1600 b is aninstruction subject to embedding and 2-bit information is allocatedthereto, and embedding is performed by extracting 2 bits from S1 and S2(part indicated by reference numeral 1602 in FIG. 14).

At this time, watermark insertion section 202 performs extraction fromthe low-order bits of each character, and when extraction is completedfor one entire character, performs extraction from the low-order bits ofthe next character.

Dummy code insertion section 1202 also performs the same kind of dummycode insertion for method A2 as for method Al (part indicated byreference numeral 1603 in FIG. 14).

If the distribution destinations of programs 1600 c and 1600 d are incollusion, and find differences between the programs in order toidentify the watermark information insertion location, the partsindicated by reference numerals 1601 and 1603, which are not watermark,will also be detected together with watermark 1602, making it difficultfor a watermark insertion location to be identified based on collusionattack.

It is thus possible to prevent mechanical alteration or deletion ofwatermark, and to prevent illegal program circulation.

Next, the operation of watermark detection section 302 according toEmbodiment 5 will be described using FIG. 15. FIG. 15 is a flowchartshowing the operation of watermark detection section 302 of Embodiment5.

First, watermark detection section 302 acquires dummy methodidentification information from watermark information storage section305 (step 1500).

Then watermark detection section 302 detects a dummy method section inwhich a dummy method is implemented and a method section in the programusing the acquired identification information (step 1501), and extractswatermark S from the dummy method section using the correspondencebetween bit strings and instruction codes stored in watermarkinformation storage section 305 (step 1502).

Watermark detection section 302 generates ID information uniquelyidentifying the program distribution destination from information storedin ID information storage section 304 and extracted watermark S (step1503), outputs the ID information (step 1504), and terminatesprocessing.

Thus, watermark detection section 302 can easily detect a dummy methodsection and method section by using identification information, and canidentify the program distribution destination by extracting watermark Sfrom the dummy method section. As a result, illegal program circulationcan be prevented.

As described above, according to Embodiment 5, it is possible to insertin a program not only watermark but also dummy code, comprising anexecution code pair, that does not affect the specifications. As aresult, non-watermark code is detected in different places whencollusion attack is performed, making it possible to prevent withcertainty watermark alteration or deletion based on collusion attack.

(Embodiment 6)

Embodiment 6 alters a program by switching around the order of partsother than a watermark insertion location, or the code of the entireprogram. As a result, non-watermark code is detected in different placeswhen collusion attack is performed, making it possible to prevent withcertainty watermark alteration or deletion based on collusion attack.

Embodiment 6 is described in detail below. The difference between thewatermark insertion apparatus in Embodiment 6 and watermark insertionapparatus 20 in Embodiment 1 lies in the operation of watermarkinsertion section 202.

Next, the operation of watermark insertion section 202 of Embodiment 6will be described using FIG. 16. FIG. 16 is a flowchart showing theoperation of watermark insertion section 202 of Embodiment 6.

First, watermark insertion section 202 assigns an initial value of 1 tovariable i (step 1601). Then watermark insertion section 202 generates,from ID information, watermark S (different for each distributiondestination) for embedding in the code (program) (step 1602).

Next, watermark insertion section 202 extracts code parts, within theentire program, that will not affect the specifications-that is, thatwill allow the specifications to be maintained-even if their order isswitched around (step 1603). A code part here means a part of a programcomposed of a plurality of codes.

Watermark insertion section 202 then determines whether variable i isless than or equal to the number (N) of code parts that allow thespecifications to be maintained even if their order is switched around(step 1604), and if variable i is less than or equal to N, switchesaround the order of the code contained in that code part (step 1605) ,increments i (step 1606) , and proceeds to step 1604.

If variable i is not less than or equal to N, watermark insertionsection 202 inserts watermark S in the code (step 1607), compiles thesource code, stores the assembler code line number at which watermark Swas input, outputs the program, and terminates processing (step 1608).

In this way, watermark insertion section 202 converts parts other than alocation at which watermark is input, while maintaining thespecifications, by switching around the order of code parts that allowthe specifications to be maintained even if their order is switchedaround.

Next, program code generated by watermark insertion section 202according to Embodiment 6 will be described using FIG. 17. Program 1700a is an original program input by program input section 201. Programs1700 b and 1700 c are programs in which different watermark 1702 b and1702 c for each distribution destination has been input in originalprogram 1700 a.

Programs 1700 b and 1700 c contain code parts 1701 b and 1701 c, and1703 b and 1703 c. Code parts 1701 b and 1701 c, and 1703 b and 1703 c,are not code parts for insertion of a watermark contained in originalprogram 1700 a, and in these code parts 1701 b and 1701 c, and 1703 band 1703 c, the code sequence of code parts 1701 a and 1701 b that allowthe specifications to be maintained even if their code is switchedaround is changed.

Thus, program 1700 b and program 1700 c have been converted to differentinstruction sequences with respect to program 1700 a, but the overallspecifications have not changed. That is to say, in program 1700 b andprogram 1700 c, program 1700 a has been converted while maintaining itsspecifications. When the differences between programs 1700 b and 1700 care identified, since program code has also been modified at locationsother than the watermark location, non-watermark code parts 1701 b, 1701c, 1703 b, and 1703 c are also detected as differences.

Therefore, in order to alter or delete the watermarks of programs 1700 band 1700 c, it is necessary to analyze the programs and find out whichparts are watermarks that do not affect the program specifications.Since determining whether a part does not affect the programspecifications requires an understanding of the program specifications,it is difficult to mechanically delete a watermark embedded using thismethod.

As described above, according to Embodiment 6, watermark insertionsection 202 operates as a conversion means that detects, from amongprogram parts other than locations at which a program watermark isinserted, program parts that allow the specifications to be maintainedeven if the instruction sequence is switched around, and performssequence conversion of program parts whose instruction sequence can beswitched around without affecting the program specifications—that is tosay, while maintaining the specifications. Consequently, program partsthat do not affect program specifications, comprising non-watermarkcode, are detected by collusion attack. As a result, it is possible toprevent watermark alteration or deletion with certainty, and to preventillegal program circulation.

Also, according to Embodiment 6, with regard to sequence conversion ofprogram parts for which switching around of the instruction sequencepresents no problem, permutations of instruction statements within aprogram part are found, and conversion is performed in accordance with apermutation selected so as to be different for each distributiondestination. As a result, the instruction sequences of program parts forwhich switching around of the instruction sequence presents no problemare different for each distribution destination. It is thus difficult toidentify a program part for which switching around of the instructionsequence presents no problem, and it is possible to prevent watermarkalteration or deletion with certainty.

As a method other than that of conversion in accordance with instructionsequence permutations, the order of program parts for which switchingaround of the instruction sequence presents no problem may be madedifferent for each distribution destination by being converted randomly.

It is also possible to hold historical information on sequenceconversion of code contained in code parts for which sequence switchingpresents no problem, and to use this historical information to performconversion of code parts for which sequence switching presents noproblem so as to be different for each distribution destination.

By this means, sequence conversion of code contained in code parts forwhich sequence switching presents no problem can be made different foreach distribution destination reliably and easily.

This application is based on Japanese Patent Application No.2002-311815filed on Oct. 25, 2002, Japanese Patent Application No.2003-133566 filedon May 12, 2003, and Japanese Patent Application No.2003-324805 filed onSep. 17, 2003, entire contents of which are expressly incorporated byreference herein.

INDUSTRIAL APPLICABILITY

As described above, according to the present invention it is possible toinsert a watermark so that it is difficult to identify the watermarkinsertion location, and therefore the present invention is applicableover a wide range including the circulation of computer programs using anetwork.

1. A watermark insertion apparatus comprising: a watermark insertionsection that inserts in a program watermark that differs for eachprogram distribution destination; and a code insertion section thatinserts in said program watermark verification code that prevents saidprogram from operating correctly when said watermark is tampered with;wherein said watermark verification code is made identical regardless ofsaid distribution destination.
 2. The watermark insertion apparatusaccording to claim 1, wherein said watermark is generated from IDinformation that uniquely determines a program distribution destination.3. The watermark insertion apparatus according to claim 1, furthercomprising a function insertion section that defines a function thatoutputs a predetermined constant from said watermark and inserts anexpression that assigns said function to a variable in said program;wherein said watermark verification code is a conditional branch thatdetermines whether said variable and said constant are equal, and whensaid variable and said constant are not equal halts said program; andsaid watermark verification code is made identical regardless of saiddistribution destination.
 4. The watermark insertion apparatus accordingto claim 1, wherein said watermark verification code is necessary forsaid program to be made to operate correctly.
 5. The watermark insertionapparatus according to claim 4, wherein said watermark verification codehas inserted a calculation expression that does not affect a decisionstatement of a decision branch generated from said watermark in saiddecision branch extracted from said program.
 6. A watermark extractionapparatus comprising: a program input section that inputs a program inwhich the watermark insertion apparatus according to claim 1 hasinserted said watermark and said watermark verification code; and awatermark detection section that extracts said watermark from saidprogram and generates ID information that uniquely identifies saiddistribution destination based on said watermark; wherein a distributiondestination is identified based on generated said ID information.
 7. Aprogram illegal distribution prevention system comprising: the watermarkinsertion apparatus according to claim 1; a program input section thatinputs a program in which the watermark insertion apparatus according toclaim 1 has inserted said watermark and said watermark verificationcode; and a watermark detection section that extracts said watermarkfrom said program and generates ID information that uniquely identifiessaid distribution destination based on said watermark; wherein adistribution destination is identified based on generated said IDinformation.
 8. The program illegal distribution prevention systemaccording to claim 7, wherein said watermark insertion apparatus isprovided at said distribution destination.
 9. A watermark insertionmethod wherein: watermark that differs for each program distributiondestination is inserted in said program and said watermark is used; saidprogram is prevented from operating correctly when said watermark istampered with; and watermark verification code that is identicalregardless of said distribution destination is inserted in said program.10. A watermark insertion method wherein: watermark that differs foreach program distribution destination is inserted in a program; and aperiphery of an insertion location of said watermark or entire saidprogram is converted while maintaining specifications.
 11. A watermarkinsertion program that causes a computer to: insert watermark thatdiffers for each program distribution destination in said program anduse said watermark; prevent said program for distribution from operatingcorrectly when said watermark is tampered with; and insert watermarkverification code that is identical regardless of said distributiondestination in said program for distribution.
 12. A watermark insertionapparatus comprising: a watermark insertion section that inserts in aprogram watermark that differs for each program distributiondestination; and a conversion section that converts a part other than alocation at which said watermark is inserted while maintainingspecifications of said program.
 13. The watermark insertion apparatusaccording to claim 12, wherein said conversion section inserts anexecution code pair that does not affect specifications in a part otherthan a location at which said watermark is inserted.
 14. The watermarkinsertion apparatus according to claim 12, wherein identificationinformation is stored that indicates an insertion location of saidwatermark.
 15. The watermark insertion apparatus according to claim 14,wherein said identification information is a method name or line number.16. The watermark insertion apparatus according to claim 12, whereinsaid conversion section performs obfuscating so that specifications arenot affected in a part other than a location at which said watermark isinserted.
 17. A watermark extraction apparatus comprising: a programinput section that inputs a program in which the watermark insertionapparatus according to claim 12 has inserted said watermark; and awatermark detection section that extracts said watermark from saidprogram; wherein a distribution destination is identified based onextracted said watermark.
 18. A watermark extraction apparatuscomprising: a program input section that inputs a program in which thewatermark insertion apparatus according to claim 15 has inserted saidwatermark; and a watermark detection section that obtains saididentification information, identifies a watermark insertion locationfrom said identification information, and extracts said watermark fromonly identified said watermark insertion location; wherein adistribution destination is identified based on extracted saidwatermark.
 19. A program that causes a computer to: insert in a programwatermark that differs for each program distribution destination; andconvert a part other than a location at which said watermark is insertedwithout changing specifications of said program.
 20. The watermarkinsertion apparatus according to claim 12, wherein said conversionsection converts a sequence of a part that is a part other than alocation at which said watermark is inserted and is a part that does notaffect specifications even if said sequence is switched around.
 21. Thewatermark insertion apparatus according to claim 20, wherein historicalinformation on a part that does not affect said specifications is held,and using said historical information, conversion of a part that doesnot affect said specifications is made to differ for each distributiondestination.